How Does Horizon 7 Work?
As you learned in our “What Is Horizon 7?” article, VMware Horizon® 7 is the leading platform for Windows desktop and application virtualization, providing a consistent user experience across devices and locations while keeping corporate data secure and compliant. In this article, we’ll discuss how it works, including the various components and how they fit together.
Horizon 7 Architecture
The following diagram shows the logical architecture of a typical Horizon 7 implementation.
Horizon 7 Connection Server manages sessions between users and their virtual desktops or published applications. These published applications are hosted on Microsoft Windows Remote Desktop Session Host (RDSH) virtual machines (VMs). The Connection Server also includes the instant-clone engine, which provides single-image management with automation capabilities.
Unified Access Gateway virtual appliances provide a secure gateway so that users who are outside the corporate network can access their virtual desktops and published applications through it rather than through a VPN.
VMware App Volumes™ software can optionally be used to capture groups of applications that are virtually attached to, rather than natively installed on, the virtual desktop or RDSH server.
VMware User Environment Manager™ lets you configure user-specific Windows desktop and application settings that are applied in the context of client device, location, or other conditions. Policies are enforced when users log in, launch an app, reconnect, or when some other triggering event occurs.
You can also configure folder redirection for storing personal user data, including documents, pictures, and so on.
A master image (VM) of a virtual desktop or RDSH server contains the operating system and, optionally, any applications that are best deployed as natively installed applications. The virtual desktop can contain either a Windows or a Linux operating system. Instant Clone Technology is preferred for cloning desktops and RDSH servers. View Composer (which creates linked clones) is an older cloning technology from VMware.
RDSH server farms and virtual desktop pools are created from the master image. The Horizon Agent software on the VMs communicates with the Horizon 7 servers and the clients to determine which applications and desktops to provide to which groups of users.
VMware vSphere® servers host all of these components: the various server VMs, desktop VMs, and RDSH server VMs.
VMware Horizon Client™ software runs on client devices. It can be downloaded for free from app stores or from VMware and installed on iOS, Android, Chromebook, Windows, macOS, or Linux clients. Alternatively, users can open a browser and enter the server URL to use the HTML Access web client.
Just-in-Time Desktops and Apps
One of the most recent advances in desktop and application virtualization is the set of JMP (Just-in-Time Management Platform) technologies from VMware. JMP decouples each aspect of a desktop to allow it to be managed on a per-user or per-group basis. Each component of the desktop is virtualized and managed centrally rather than separately, as is done in a traditional distributed per-VM approach.
As illustrated in the following figure, application-management containers are managed separately from the desktop OS. Similarly, user data files and OS- and application-specific configurations are decoupled from the OS and kept on separate file shares.
The following components of JMP work together to compose a just-in-time personalized desktop:
- VMware User Environment Manager™ share – A file share that stores user-specific desktop and application settings, making them available across multiple devices, Windows versions, and application instances. Application settings are imported and applied at application launch. Windows settings (such as the desktop background, desktop screensaver, and keyboard settings) are imported at login. When a user quits an application or logs out of the OS, settings are exported and saved on a file share.
- User data share – A file share that stores personal user data, documents, pictures, and so on that are redirected from specific folders inside the VM. This strategy minimizes the number of files that must be copied to the VM when the user logs in.
- VMware App Volumes™ AppStack – A read-only container for one-to-many delivery of IT-managed applications.
  - For virtual desktops, AppStacks are assigned to an Active Directory user or group, and assigned AppStacks are attached to the desktop when a user logs in.
  - For RDSH servers, which provide published applications and shared session-based desktops, AppStacks are assigned to the group object in Active Directory that contains the computer objects for the servers. Assigned AppStacks are attached to the RDSH server at boot time.
- Writable volume – A one-to-one, user-specific, read-and-write container for user-installed applications or for applications that require a local cache, since a writable volume appears as part of the local C: drive. Users must ordinarily have administrator permissions to install applications in a virtual desktop, just as they would for a physical desktop. However, User Environment Manager has a Permission Elevation feature that administrators can now use to let users install applications without full administrator permissions.
Important: In companies that require tight control over virtual desktops and apps, you need not provide users with a writable volume. In this case, when users log out, they lose any changes they might have made to the OS, as well as any data they might have saved to a folder location that is not redirected.
- Instant clone – A new type of cloned VM that is created using VMware vSphere® vmFork technology to rapidly clone both the memory and the disk of a running parent VM. Instant Clone Technology requires half the steps of VMware View® Composer™ linked-clone technology when deploying or scaling. In VMware lab tests, an instant-clone farm of 200 RDSH servers was created in less time than View Composer took to create a single RDSH server.
- Workspace ONE leverages VMware Identity Manager, which provides application provisioning, a self-service catalog, conditional access controls, and single sign-on for SaaS, web, cloud, and native mobile applications. In addition, VMware Identity Manager provides single-sign-on access to Horizon 7 virtual desktops and published applications. Users can access the VMware Identity Manager catalog from their browsers.
When Workspace ONE is integrated with Horizon 7, users can also access the app catalog through the Workspace ONE app.
With one click in the Workspace ONE catalog, the selected published app or virtual desktop is launched in Horizon Client.
- VMware Horizon Client software is available from app stores or from VMware for iOS, Android, Chrome, Windows, Linux, and macOS so that users can access published applications and VDI desktops from any device. An HTML Access web client is also available, and it does not require installing any software on client devices.
To learn more, take a look at the following assets:
- Horizon 7 demo for IT Admins
- Expert Series video on Horizon 7
- Reviewer's Guide for Horizon 7: Overview